The Lego Hack: How Researchers discovered XSS and SSRF Vulnerabilities
Learn how Researchers discovered XSS and SSRF Vulnerabilities in The Lego Marketplace Hack.
Jaydev Ahire
5 min read
Did you know that researchers recently uncovered some serious vulnerabilities in a popular Lego online marketplace? These vulnerabilities, known as cross-site scripting (XSS) and server-side request forgery (SSRF), could have allowed hackers to take over user accounts, access sensitive data stored on the platform, and even gain access to internal production data to compromise corporate services. But don't worry, there are steps that organizations can take to fix these vulnerabilities and keep the platform safe. In this article, we'll delve into the specifics of XSS and SSRF and explore how companies can protect themselves from these types of attacks. So if you're a fan of Lego (or just want to keep your online data secure), keep reading!
Lego Marketplace hack: Background
The beloved toy company Lego has an online marketplace for buying and selling their products. It's called BrickLink, and it's a digital platform used by millions of Lego fans around the world. But recently, researchers from Salt Labs (the research arm of Salt Security) uncovered some worrying vulnerabilities in the BrickLink platform. These vulnerabilities could have allowed hackers to gain unauthorized access to the platform or steal sensitive information of users.
Vulnerability breakdown
Researchers identified two vulnerabilities in the BrickLink digital resale platform by analyzing areas of the site that accept user input.
Researchers discovered cross-site scripting (XSS) XSS vulnerability in the "Find Username" dialogue box of the coupon search feature on BrickLink. This vulnerability allowed them to inject and execute malicious code on a victim user's browser through a specially crafted link. But that's not all - the researchers also found an exposed Session ID on a different page, which they were able to combine with the XSS vulnerability to hijack the user's session and gain control of their account. This type of account takeover could have allowed attackers to steal sensitive user data or take complete control of user accounts.
Researchers also discovered a vulnerability on the platform's "Upload to Wanted List" page, which allows users to upload lists of desired Lego parts and sets in XML format. By using this feature, the researchers were able to successfully execute an XML External Entity (XXE) injection attack. This type of attack occurs when a vulnerable XML parser processes an XML input containing a reference to an external entity. By leveraging the XXE injection, the researchers were able to read files on the web server and launch a server-side request forgery (SSRF) attack. This SSRF attack could potentially be used to steal AWS EC2 tokens from the server, which could have been a serious security concern for the BrickLink platform.
Thankfully, the Lego Group has fixed these vulnerabilities and keeping their platform safe for all users.
Test for XSS and SSRF using the best proactive API Security product
Our customers love us for our proactive approach and world class API Security test templates. Try Akto's test library yourself in your testing playground. Play with the default test or add your own.
How to prevent such API vulnerabilities:
Are you worried about API vulnerabilities like XSS and SSRF on your website or application? Don't worry, there are steps you can take to protect yourself and your users! Here are a few tips for preventing these types of vulnerabilities:
Properly validate and sanitize user input: This can help to ensure that your site or application is not vulnerable to malicious code being injected by attackers. You can do this using techniques like input filtering, input validation, and output encoding.
Disable external entity processing in your XML parser: By default, XML parsers are configured to process external entities, which can make them vulnerable to XXE injection attacks. To prevent this, you can disable external entity processing by setting the "disallow-doctype-decl" or "no-external-general-entities" options in your parser.
Whitelist Domains in DNS: Whitelisting any domain or address that your application queries is the best approach to prevent SSRF.
Restrict request protocols: Requests to servers are typically made over HTTPS, but occasionally HTTP as well. Therefore, block requests with ftp:/ and gopher:/ because we are aware that only these protocols are in use. Blocking file:/ will also stop attackers from retrieving files
Set the "HttpOnly" flag on your cookies: This security feature prevents cookies (like session IDs) from being stolen by attackers. When the HttpOnly flag is set, cookies cannot be accessed by client-side scripts like JavaScript.
Implement a content security policy (CSP): A CSP defines which content sources can be loaded on your site or application, which can help to prevent the execution of malicious code that an attacker might try to inject.
Use API security tools like Akto: These tools can help you test your APIs for vulnerabilities like XSS and SSRF, so you can fix any issues before they become a problem.
By following these tips, you can help to keep your site or application safe from API vulnerabilities like XSS and SSRF.
Lessons:
All large businesses have massively increased their usage of APIs to build applications. As a result, APIs have become one of the most common attack vectors for hackers looking to gain access to user data. Just look at the recent data breach at Australian telco Optus - over 9.8 million customer records were exposed, including names, addresses, birth dates, and even government-issued identification numbers. This is just one example of the many API security risks and vulnerabilities that businesses need to be aware of. In fact, according to HackerOne, last year (2022) hackers spent a staggering 45% of their time attacking APIs. That's a lot of potential attacks to worry about! We did a detailed analysis in the blog here. To learn more about API security and stay up to date on the latest incidents around the world, be sure to keep an eye on this space.
Reference:
Keep reading
News
7 mins
March Product News: 98 New Tests, Dynamic wordlists, and more
This edition of Akto’s newsletter is packed with new features and tests that will greatly decrease your API Security testing time and increase targeted testing.
Product updates
5 mins
Detailed Errors on Postman and Swagger File Import
Akto now replays APIs to automatically get data during an import of Postman and Swagger files and transparently displays reasons why each specific API couldn't be replayed in the case of an error.
Product updates
5 mins
Added 98 New API Security Tests across 5 OWASP categories
Akto has introduced new tests across several categories including BOLA, Broken Authentication, Unrestricted Resource Consumption, BFLA, and SSRF that you can explore with Akto’s Test Editor.